解析程序自己的附加数据,将附加数据写入文件中。
主要是解析PE文件头,定位到overlay所在的位置,将其写入文件。常见的应用场景是crackme:crackme自身带有一段加密过的附加数据,在运行过程中解析自己的附加数据,然后解密这段数据。
代码留存:
//解析自己的PE文件 TCHAR szModuleFile[MAX_PATH] = {0}; ::GetModuleFileName(NULL, szModuleFile, MAX_PATH); HANDLE hFile = ::CreateFile(szModuleFile, 0X80000000, 0X1, NULL, 0x3, 0x80, NULL ); if (!hFile) { AfxMessageBox("create file error"); return ; } DWORD dwFileSize = 0; dwFileSize = ::GetFileSize(hFile, NULL); if (!dwFileSize) { AfxMessageBox("GetFileSize error"); return ; } TCHAR *pBuffer = new TCHAR[dwFileSize+1]; DWORD dwReadBytes = 0; BOOL bSuc = ::ReadFile(hFile, pBuffer, dwFileSize, &dwReadBytes, NULL); if (!bSuc) { AfxMessageBox("read file error"); return ; } IMAGE_DOS_HEADER *pDosHead =(IMAGE_DOS_HEADER *)pBuffer; IMAGE_NT_HEADERS *pNtHeader; // 得到PE文件头. pNtHeader = (IMAGE_NT_HEADERS*)((char*)pDosHead + pDosHead->e_lfanew); WORD wNumOfSection = pNtHeader->FileHeader.NumberOfSections; //DWORD dwTemp = wNumOfSection * (sizeof(IMAGE_SECTION_HEADER)/sizeof(DWORD)); WORD wSizeOfOptionalHeader = pNtHeader->FileHeader.SizeOfOptionalHeader; DWORD *pOverLay; DWORD *pLastSectionVirualAddress; DWORD *pLastSectionVirualSize; DWORD *pLastSectionPhyAddress, *pLastSectionPhySize; pLastSectionVirualSize = (DWORD*) ((char*)pNtHeader+ sizeof(IMAGE_NT_HEADERS) + (wNumOfSection-1)*sizeof(IMAGE_SECTION_HEADER) + sizeof(BYTE)*IMAGE_SIZEOF_SHORT_NAME ); pLastSectionVirualAddress = pLastSectionVirualSize + 1; pLastSectionPhyAddress = pLastSectionVirualSize + 2; pLastSectionPhySize = pLastSectionVirualSize + 3; DWORD dw1 = *pLastSectionPhyAddress; DWORD dw2 = *pLastSectionPhySize; pOverLay = (DWORD*)(dw1 + dw2 + pBuffer); DWORD dwOverlaySize = dwFileSize - (dw1 + dw2); HANDLE hOutFile = ::CreateFile("C:\\Users\\Administrator\\Desktop\\crackme.exe.overlay", GENERIC_WRITE, FILE_SHARE_READ, NULL, CREATE_NEW, NULL, NULL); if (!hOutFile) { return ; } DWORD dwWritten = 0; ::WriteFile(hOutFile, pOverLay, dwOverlaySize, &dwWritten, NULL); ::CloseHandle(hOutFile); if ((char *)pOverLay == 0x0) { AfxMessageBox("附加数据首字节为0"); return ; } ::free(pBuffer); ::CloseHandle(hFile);
原文:http://blog.csdn.net/xiaocaiju/article/details/27184465